From: Tobias Geerinckx-Rice
Subject: Re: native-inputs ending up as run-time references [was: ISO image available for testing!]
Date: Wed, 6 Dec 2017 03:16:45 +0100
In-Reply-To: <87bmjcvft3.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: ludo@gnu.org, mhw@netris.org
Cc: guix-devel@gnu.org

Mark! Ludovic!

Mark H Weaver wrote on 06/12/17 at 01:52:
> ludo@gnu.org (Ludovic Courtès) writes:
>> Long story short: we were flagging native inputs as potential
>> sources of grafts even though, by definition, native inputs are
>> not referred to at run time.
>
> I agree that this *should* never happen, but I see little reason for
> confidence that it never happens in actual fact.

Hold on. I thought this happened *all the actual time*.

To me, the output of ‘guix graph’ implies that ghc[*] refers directly to perl, and ghc-haddock-library to hspec-discover, and that both of those are native inputs.

These are just the first two examples of packages with native inputs that I happened to pull out of my haskell.scm. While Haskell does seem particularly naughty, I've no reason to believe it's unique.

Are these not ‘run-time references’? Is your use of the term narrower than mine?

> One solution would be to explicitly check build outputs for
> references to native-inputs, and to force a build failure in that
> case.

I was surprised to learn this was not already the case (before I started slowly dragging hissing Haskell packages into the present). I suggest we don't make any security assumptions about it until it is.

Kind regards,

T G-R
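A sketch of the check Mark proposes above, added here as an example and not code from the thread or from Guix itself: it builds a package, takes the run-time closure of its outputs, and reports any native input whose store path shows up in that closure. It assumes the public Guix Guile API of the time (package-derivation, derivation->output-paths, build-derivations, requisites, specification->package) and is run as a Guile script with a package spec such as ghc-haddock-library as its argument.

```scheme
;; Added example (not from the thread): flag native inputs that end up
;; in the run-time closure of a package's outputs.  Assumes the Guix
;; Guile API: run as  guile -s check-native-refs.scm ghc-haddock-library
(use-modules (guix store) (guix packages) (guix derivations)
             (gnu packages) (srfi srfi-1) (srfi srfi-26) (ice-9 match))

(define (native-input-outputs store package)
  "Return the output store paths of PACKAGE's native inputs that are
themselves packages (origins and other file-like inputs are skipped)."
  (append-map (match-lambda
                ((_ (? package? native) . _)
                 (map cdr (derivation->output-paths
                           (package-derivation store native))))
                (_ '()))
              (package-native-inputs package)))

(define (native-input-leaks store package)
  "Build PACKAGE and return the native-input store paths found in the
run-time closure (direct and transitive references) of its outputs."
  (let* ((drv     (package-derivation store package))
         (outputs (map cdr (derivation->output-paths drv))))
    (build-derivations store (list drv))
    (let ((closure (requisites store outputs)))
      (filter (cut member <> closure)
              (native-input-outputs store package)))))

(match (command-line)
  ((_ spec)
   (with-store store
     (let* ((package (specification->package spec))
            (name    (package-full-name package))
            (leaks   (native-input-leaks store package)))
       (if (null? leaks)
           (format #t "~a: no native inputs in run-time closure~%" name)
           (begin
             (format #t "~a: native inputs in run-time closure:~%" name)
             (for-each (cut format #t "  ~a~%" <>) leaks)
             ;; Non-zero exit so a CI job can turn a hit into a failure.
             (exit 1))))))
  (_ (format (current-error-port) "usage: check-native-refs.scm PACKAGE~%")
     (exit 2)))
```

A package listed in both inputs and native-inputs is reported too, since its store path is the same either way in a native build, so a hit needs a look at the package definition before it is treated as a leak.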